
I have a pfSense firewall that has a WAN with multiple public IP addresses. I use NAT to port forward certain external IPs to internal IPs.

I can connect from anywhere except same country. When anyone within my country tries to connect to any external IP address and port, they are unsuccessful. I've captured packets on the WAN interface and I see them coming in.

I've double checked and there is indeed a WAN rule that allows the accessed ports to NAT through to the servers that I intend them to. We have no Geo IP checking or any IP address based rules to block traffic to those servers.

-- I have noticed a difference between working connections and non-working connections.

Using packet capture on pfSense (replaced some numbers with ###.### which are the same numbers for all)

Non-working connection:
22:26:25.140803 IP 190.150.206.159.50852 > 190.###.###.2.80: tcp 0
22:26:25.140828 ARP, Request who-has 190.150.206.159 tell 190.###.###.3, length 28

Working Connection:
22:24:26.164293 IP 24.189.161.72.5550 > 190.###.###.2.80: tcp 0
22:24:26.164305 IP 190.###.###.2.80 > 24.189.161.72.5550: tcp 1460

Another connection from a pc on a different port to a different WAN IP address (Same PFSense)

Non-working computer
09:39:05.612067 IP 190.87.162.111.2463 > 190.###.###.4.3389: tcp 0
09:39:08.610073 IP 190.87.162.111.2463 > 190.###.###.4.3389: tcp 0
09:39:14.608856 IP 190.87.162.111.2463 > 190.###.###.4.3389: tcp 0

Working computer
09:41:04.412975 IP 68.196.25.71.60666 > 190.###.###.4.3389: tcp 85
09:41:04.459077 IP 190.###.###.4.3389 > 68.196.25.71.60666: tcp 0
09:41:04.492887 IP 68.196.25.71.60666 > 190.###.###.4.3389: tcp 101
09:41:04.537100 IP 190.###.###.4.3389 > 68.196.25.71.60666: tcp 0
09:41:06.177903 IP 190.###.###.4.3389 > 68.196.25.71.60666: tcp 101
09:41:06.309178 IP 68.196.25.71.60666 > 190.###.###.4.3389: tcp 0

I see in the firewall that it is allowed, but I can't figure out what is blocking it.

BrinkDaDrink
  • What country are we talking about and what ISP? Also, have you packet sniffed on the WAN interface to see if the traffic is even making it to the WAN interface? – Wesley Dec 23 '15 at 03:54
  • Yes did packet capture and packets are coming in fine. – BrinkDaDrink Dec 23 '15 at 04:04
  • Updated the main post with a quick show of it using port 21, but it doesn't matter what port or what main IP I use. – BrinkDaDrink Dec 23 '15 at 04:10
  • Do you have similar capture on all WAN interfaces, or only on 190.###.###.2 ? – Dusan Bajic Dec 23 '15 at 09:02
  • Which pfSense version and release are you currently using? The 2.2.6 release is now available and many bugs are solved. Please find the release notes here: [pfSense release note](https://blog.pfsense.org/?p=1971) – Nullpointer Dec 23 '15 at 05:40
  • Doesn't matter which WAN or which port I use. All are rejected. Updated with a capture using the .4 WAN and port 3389 for remote desktop. – BrinkDaDrink Dec 23 '15 at 15:45
  • If 190.###.###.3 is interface on upstream router (your default gateway), it probably has misconfigured subnet mask. – Dusan Bajic Dec 23 '15 at 18:36
  • @dusan.bajic don't know how to give you credit for the help at my level – BrinkDaDrink Dec 23 '15 at 19:47

1 Answer


Thank you @dusan.bajic for the direction.

The subnet mask on the Virtual IPs was:

190.###.###.6/8
190.###.###.5/8
190.###.###.4/8
190.###.###.3/8

Changed them all to:

190.###.###.6/24
190.###.###.5/24
190.###.###.4/24
190.###.###.3/24

which makes a lot more sense. Now external IPs will not be considered internal, and everything is working.

BrinkDaDrink
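To illustrate what the /8 mask did, here is an added Python example (not from the question or the answer) using a constructed 190.0.2.0/24 block in place of the masked "190.###.###" numbers on the page. It shows which of the captured source addresses a /8 versus a /24 VIP mask makes the firewall treat as on-link (so it ARPs for them instead of routing via the gateway), and scans tcpdump-style lines for the ARP symptom seen in the non-working capture.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed stand-in for the masked WAN block in the question; the page only
# shows "190.###.###.x", so 190.0.2.0/24 is made up for this example.
WAN_NET = ipaddress.ip_network("190.0.2.0/24")
VIP = "190.0.2.3"

# Client source addresses taken from the captures in the question.
PEERS = ["190.150.206.159", "190.87.162.111", "24.189.161.72", "68.196.25.71"]


def next_hop(vip: str, prefix_len: int, peer: str) -> str:
    """How the host delivers a reply to `peer` when the VIP carries /prefix_len:
    'arp' when the peer looks on-link (direct ARP, which fails for a remote
    address), otherwise 'gateway' (routed via the upstream router)."""
    onlink = ipaddress.ip_interface(f"{vip}/{prefix_len}").network
    return "arp" if ipaddress.ip_address(peer) in onlink else "gateway"


def misrouted_peers(prefix_len: int) -> List[str]:
    """Peers that the VIP mask makes look on-link although they are outside the
    real WAN subnet; replies to these never reach the gateway."""
    return [p for p in PEERS
            if next_hop(VIP, prefix_len, p) == "arp"
            and ipaddress.ip_address(p) not in WAN_NET]


ARP_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")


def suspicious_arp(capture_lines: List[str]) -> List[Tuple[str, str]]:
    """Flag ARP requests asking for an address outside the WAN subnet, the
    symptom in the question's non-working capture. Returns (asker, target)."""
    hits = []
    for line in capture_lines:
        m = ARP_RE.search(line)
        if m and ipaddress.ip_address(m.group(1)) not in WAN_NET:
            hits.append((m.group(2), m.group(1)))
    return hits


# Constructed sample capture modelled on the question's lines, with the masked
# octets replaced by the made-up 190.0.2.x block.
SAMPLE_CAPTURE = [
    "22:26:25.140803 IP 190.150.206.159.50852 > 190.0.2.2.80: tcp 0",
    "22:26:25.140828 ARP, Request who-has 190.150.206.159 tell 190.0.2.3, length 28",
    "22:24:26.164293 IP 24.189.161.72.5550 > 190.0.2.2.80: tcp 0",
    "22:24:26.164305 IP 190.0.2.2.80 > 24.189.161.72.5550: tcp 1460",
]

if __name__ == "__main__":
    for plen in (8, 24):
        print(f"/{plen}: misrouted peers = {misrouted_peers(plen)}")
    print("suspicious ARP:", suspicious_arp(SAMPLE_CAPTURE))
```

With /8 the two same-country clients (190.x.x.x) are wrongly treated as on-link and the 24.x and 68.x clients are not, which matches the working/non-working split in the captures; with /24 no peer is misrouted.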